OKCupid’s new blind date app not so blind thanks to data leak

Bug allowed access to birth dates, e-mail addresses.

Blind dates are already both exciting and terrifying—the former because you might meet your future soulmate, and the latter because your date might end up boiling your bunny. That's why a privacy bug in OKCupid's brand new app, Crazy Blind Date, was even more disturbing than usual, even though there's no evidence of that data having been accessed.

The app's goal is to anonymously match you with another dater in your area for, well, a blind date. But the app apparently made users' full e-mail addresses and birth dates easily accessible "to anyone with the right technical skills," the Wall Street Journal discovered, thereby voiding much of the app's benefit. Worse, the bug could be used to see the information of anyone nearby who had signed up to use the service—a blind date did not have to be arranged first—putting the personal information of all of the new app's users at risk.

According to the WSJ, the bug came from Crazy Blind Date's API. In addition to the e-mail addresses and birth dates, someone could use the API to grab a Crazy Blind Date user's ID and correlate it to his or her OKCupid profile, potentially finding more information on that person.

OKCupid fixed the hole immediately after being notified by the WSJ of its findings; a version 1.1 is already out on the App Store, and OKCupid CEO Sam Yagan says there's no evidence that the exploit was actually used. (There is also a version of this app for Android devices.) Still, the incident highlights how easily our information can be accessed through various online services, even when they advertise otherwise. Similarly, a recent FTC report found that numerous children's apps on the App Store collect and report personal information to a remote server, even when they explicitly claim that they don't in their privacy policies.

How do you deal with that as a potential online dater? My personal advice for those using Crazy Blind Date is the same for anyone who might be meeting up with strangers: use a separate, non-identifiable e-mail address to register your account, even if the service claims your e-mail won't be made public. It's also a good idea to fudge your birth date a little bit—subtracting 10 years might be a bit much, but moving the date by a few days could help to keep your info more obscure.

22 Reader Comments

How do you deal with that as a potential online dater? My personal advice for those using Crazy Blind Date is the same for anyone who might be meeting up with strangers: use a separate, non-identifiable e-mail address to register your account, even if the service claims your e-mail won't be made public.

I would go a bit further and get a prepaid cell phone to use with this service. Something that you can easily turn off and throw away in case things don't work out as expected.

To be honest, that App sounds like a great idea but looking at its reviews it's a swing-and-a-miss. There are horrible restrictions. It would be better if you could set criteria, such as "80% Match or Higher, within 3 years of my age, graduated from college" but it looks like you can't even select the date venue except for locations pre-determined by the app. Add to that security vulnerability? I'd pass.

Anyhow, while I was on there, I used a separate spam-magnet e-mail address and shifted my date of birth by a few days. Prevention pays off. It beats cleaning up identity theft, or removing a virus off your computer, or whatever.

To be honest, that App sounds like a great idea but looking at its reviews it's a swing-and-a-miss. There are horrible restrictions. It would be better if you could set criteria, such as "80% Match or Higher, within 3 years of my age, graduated from college" but it looks like you can't even select the date venue except for locations pre-determined by the app. Add to that security vulnerability? I'd pass.

God forbid someone has an actual blind date.

For those with control issues I'm sure the traditional methods for attempting to methodically screen out all of your potential soul mates is still accessible on the regular site.

To be honest, that App sounds like a great idea but looking at its reviews it's a swing-and-a-miss. There are horrible restrictions. It would be better if you could set criteria, such as "80% Match or Higher, within 3 years of my age, graduated from college" but it looks like you can't even select the date venue except for locations pre-determined by the app. Add to that security vulnerability? I'd pass.

God forbid someone has an actual blind date.

For those with control issues I'm sure the traditional methods for attempting to methodically screen out of your potential soul mates is still accessible on the regular site.

I think there is a difference between a blind date and a random person. Standard blind dates have the filter of your friends.

To be honest, that App sounds like a great idea but looking at its reviews it's a swing-and-a-miss. There are horrible restrictions. It would be better if you could set criteria, such as "80% Match or Higher, within 3 years of my age, graduated from college" but it looks like you can't even select the date venue except for locations pre-determined by the app. Add to that security vulnerability? I'd pass.

God forbid someone has an actual blind date.

For those with control issues I'm sure the traditional methods for attempting to methodically screen out of your potential soul mates is still accessible on the regular site.

I think there is a difference between a blind date and a random person. Standard blind dates have the filter of your friends.

A real blind date practically is a random person. Either you don't know the person making the recommendation well enough to know their associations, or they don't know the person they're setting you up with well enough to have made you aware of them.

Either way a real blind date isn't something for those with control issues.

A real blind date practically is a random person. Either you don't know the person making the recommendation well enough to know their associations, or they don't know the person they're setting you up with well enough to have made you aware of them.

Either way a real blind date isn't something for those with control issues.

Really? I don't think I know anyone well enough to "know their associations." Even my wife of twenty years has plenty of associations and friends who I don't know, and I know my wife pretty darned well.

How do you deal with that as a potential online dater? My personal advice for those using Crazy Blind Date is the same for anyone who might be meeting up with strangers: use a separate, non-identifiable e-mail address to register your account, even if the service claims your e-mail won't be made public.

I would go a bit further and get a prepaid cell phone to use with this service. Something that you can easily turn off and throw away in case things don't work out as expected.

I think there is a difference between a blind date and a random person. Standard blind dates have the filter of your friends.

A real blind date practically is a random person. Either you don't know the person making the recommendation well enough to know their associations, or they don't know the person they're setting you up with well enough to have made you aware of them.

Blind dates vary based on how well the mutual friend knows the two people and how much care they put into the pairing. It could be completely WTF random, or it could be selective match making. It sounds like jack's friends (and this app) tend toward the former, whereas mkuch's social circle (and mine) prefer the latter.

A real blind date practically is a random person. Either you don't know the person making the recommendation well enough to know their associations, or they don't know the person they're setting you up with well enough to have made you aware of them.

Either way a real blind date isn't something for those with control issues.

Really? I don't think I know anyone well enough to "know their associations." Even my wife of twenty years has plenty of associations and friends who I don't know, and I know my wife pretty darned well.

And those people would be who you'd get in a blind date, people whom the most she could say about is something like, "he works in the sales department and seems friendly."

In other words, she'd be setting someone up with someone who is really a borderline stranger even to her.

I think there is a difference between a blind date and a random person. Standard blind dates have the filter of your friends.

A real blind date practically is a random person. Either you don't know the person making the recommendation well enough to know their associations, or they don't know the person they're setting you up with well enough to have made you aware of them.

Blind dates vary based on how well the mutual friend knows the two people and how much care they put into the pairing. It could be completely WTF random, or it could be selective match making. It sounds like jack's friends (and this app) tend toward the former, whereas mkuch's social circle (and mine) prefer the latter.

Being set up with friends isn't the same as a blind date. Like I said, either you don't know the person well enough to know their friends (thus you're not getting a specifically great match because the person doing the setting up doesn't know you well), or you know them well and they're setting you up with someone on the boundaries of their social circle. (that they don't know that well)

OKCupid fixed the hole immediately after being notified by the WSJ of its findings; a version 1.1 is already out on the App Store, and OKCupid CEO Sam Yagan says there's no evidence that the exploit was actually used. (There is also a version of this app for Android devices.)

Jacqui - This is a good example of the criticism Ars receives in being biased toward Apple coverage occasionally.

This article should've been completely neutral as to which platform the OKC bug was on. The coverage should've at least checked whether both platforms were affected, and if so (which was the case), mentioned them on equal footing along the lines "OKC has since updated its app", with nothing to do with app store or anything else. Conscious, neutral coverage from the Apple editor would benefit Ars.

Being set up with friends isn't the same as a blind date. Like I said, either you don't know the person well enough to know their friends (thus you're not getting a specifically great match because the person doing the setting up doesn't know you well), or you know them well and they're setting you up with someone on the boundaries of their social circle. (that they don't know that well) Dating within groups of friends isn't a blind date.

I'd argue that the definition of a blind date is a date with someone that you've never seen before. It could be someone you've become acquainted to online, or via a friend of a friend. Unless you don't equate that latter situation as "dating within groups of friends," I disagree with what you call a blind date.

This article should've been completely neutral as to which platform the OKC bug was on.

The story is at least filed under "Android", "iOS Apps", and "Privacy", if you notice near the author line. *shrug*

Which also makes it even more confusing. The article, as written, is about the iOS app, not about the Android version of the app, but the headline doesn't identify whether it's iOS, Android, Blackberry, or whatever, and it's only when you start reading the article and hit the iTunes link that you realize it, and, even then, there's the unanswered question, "Did this happen in the Android app, too?", especially when she mentions that there's an Android version of the app.

Being set up with friends isn't the same as a blind date. Like I said, either you don't know the person well enough to know their friends (thus you're not getting a specifically great match because the person doing the setting up doesn't know you well), or you know them well and they're setting you up with someone on the boundaries of their social circle. (that they don't know that well) Dating within groups of friends isn't a blind date.

I'd argue that the definition of a blind date is a date with someone that you've never seen before. It could be someone you've become acquainted to online, or via a friend of a friend. Unless you don't equate that latter situation as "dating within groups of friends," I disagree with what you call a blind date.

I'm a bit more restrictive in my definition. I consider a blind date a date set up by a third party between two people who haven't met. I was "set up" with my current girlfriend, because a mutual friend brought her out with a group of friends, and made us both aware we were single. The distinction I hold between being set up and a blind date is the context of the meeting.

I think the hilarious consequence of this app is that on release day, they purposefully hid user images on the main okcupid site to encourage people to try out their new app. Except that no one wants to browse potential dates if you can't see what they look like. I'm certain their traffic must have plummeted -- and in fact they had restored the images by the evening, probably after realizing it was a fucking stupid move.